Banks, critical sectors must share info on cyber attacks
Major changes aimed at beefing up cyber security under proposed Bill
Firms in 11 critical sectors will be required to report security breaches and incidents, and cyber security vendors providing highly sensitive services must be licensed if the proposed Cybersecurity Bill is passed by Parliament.
In the event of a cyber attack, banking and privacy rules that forbid the sharing of confidential information will also be superseded under the new law.
Banks must report to the proposed Commissioner of Cybersecurity "within hours" of an attack and share information with Singapore's Cyber Security Agency (CSA) in an investigation. Those who fail to do so can be fined or jailed.
A draft of the Bill was released yesterday for public consultation until Aug 3.
If passed, the Bill will empower the CSA to manage and respond to cyber security threats and incidents.
The Commissioner of Cybersecurity can investigate threats and incidents to ensure essential services in 11 critical sectors - including telecommunications, transport, healthcare, banking and energy - are not disrupted in a cyber attack.
The new law will also standardise the requirements to protect the critical information infrastructure (CII) that is necessary for the continuous delivery of essential services across the public and private sectors.
This is done by mandating that organisations in critical sectors share information to help CSA's investigations of cyber threats or incidents.
CSA chief executive David Koh said: "The current legislation, the Computer Misuse and Cybersecurity Act, focuses more on cybercrime.
"As the (threat) landscape evolves, it is better to have an omnibus Bill that oversees the cyber security of (essential services) as a whole."
The recent Advanced Persistent Threat (APT) attacks on two local universities, as well as the WannaCry and NotPetya global malware attacks, serve as stark reminders of Singapore's vulnerability to cyber threats, said the CSA and Ministry of Communications and Information (MCI) in a joint statement.
Under the new law, vendors providing investigative services that involve hacking and forensic examination, as well as non-investigative services such as managed security operations, must be licensed.
Investigative cyber security service practitioners such as hackers must also apply for an individual licence.
Those found not to have the required licences can be fined up to $50,000 and/or jailed up to two years.
Cyber security experts told The New Paper the proposed regulations are timely in helping Singapore prevent and mitigate cyber incidents on critical infrastructure.
Check Point Software's regional managing director for South Asia, Mr Collin Penman, said: "The general need for such framework is designed to ensure that cyber security incidents are acted upon effectively and not covertly covered up by the CIIs."
Trend Micro Singapore's country manager, Mr David Siah, said the framework for licensing and regulating cyber security providers will ensure such services meet industry standards.
Symantec's chief technology officer for Asia, Mr Matthias Yeo, said many countries, including the European Union, China and India, have implemented a similar regulatory framework for their CII owners.
"We believe that this is in line with international standards and is the right direction for Singapore," Mr Yeo said.
But Fortinet's country manager for Singapore, Mr Thiantara Kruathorn, said the Bill is merely the first step.
"The next step - enforcement - will be critical. The CSA needs to put in place the right mechanisms to ensure that all parties in the cyber security ecosystem adhere to the points within the Bill."